Researcher calls Apple “negligent” over iPhone security

A speaker at a Black Hat conference has called into question the security of …

As you may recall, the end of July brought the first, highly anticipated iPhone update. iPhone Update 1.0.1 included a number of security fixes that put a stop to a few "hacks" that allowed individuals to run arbitrary code on an unsuspecting iPhone. According to CRN, the author of the first known iPhone exploit, Charles Miller, revealed Thursday at a Black Hat conference that the iPhone and its OS X underpinnings are a lot more vulnerable to attacks than is widely believed. Miller even goes so far as to call Apple "negligent" regarding the iPhone exploit he discovered.

Much of Miller's argument stems from Apple's use of "outdated versions of open source code." It is not news to anyone that Apple uses open source packages inside its operating system: Perl, the bash shell, WebKit, and CUPS, to name a few. But are they really out of date? If you compare the Perl install in OS X 10.4.10 to an up-to-date Ubuntu machine, you find 5.8.6 on the OS X machine and 5.8.8 on the Ubuntu machine. If you check the Bash version, you find that Apple's OS runs 2.05b0(1) while the Ubuntu install runs 3.2.13—quite the difference. According to Miller, this is how you take advantage of OS X and, more specifically, the iPhone:

"Here's my formula for finding a zero-day [vulnerability] on a Mac; here's what you do," said Miller in his presentation. "First, find an open source package that they use that's out of date—there's plenty of those. Read through the changelog for the current version of that software, find a usable bug that's been fixed in the newer versions. And you're done. You don't have to worry about static analysis or fuzzing or any of that stuff."

According to our own Linux gurus, old version numbers aren't always a problem. As it was explained to me, in admittedly simplified terms, new security patches can be backported to older versions of a software package, fixing the hole without breaking compatibility with the rest of the OS. However, Miller contends that the problem is the time between the open source project's release of a security fix and Apple's backport of it. He admits that this is a problem in most operating systems and that, compared to Microsoft, Apple does much better with the speed of its security patches.
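The backporting point above can be made concrete with a small patch-lag audit, added here as an illustration and not taken from the article or from Miller's talk. It flags an upstream fix as open only when the bundled version predates it and the vendor has not backported it; the fix ids, dates and "backported" sets are constructed placeholders, and only the version strings come from the article.

```python
import re
from datetime import date

def version_key(v):
    """Comparable key for strings like '5.8.6' or '2.05b0(1)'; the build suffix in parentheses is ignored."""
    tokens = re.findall(r"\d+|[a-z]+", v.split("(")[0].lower())
    # Tag numbers as 0 and letters as 1 so ints and strs are never compared directly.
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)

# Constructed inventory: version strings are those quoted in the article,
# the "backported" sets are assumptions made for this example.
INSTALLED = {
    "perl": {"version": "5.8.6", "backported": {"EXAMPLE-PERL-1"}},
    "bash": {"version": "2.05b0(1)", "backported": set()},
}

# Constructed upstream fix records: ids, fixed-in mapping and dates are placeholders.
UPSTREAM_FIXES = [
    {"pkg": "perl", "id": "EXAMPLE-PERL-1", "fixed_in": "5.8.7", "released": date(2024, 3, 1)},
    {"pkg": "perl", "id": "EXAMPLE-PERL-2", "fixed_in": "5.8.8", "released": date(2024, 6, 1)},
    {"pkg": "bash", "id": "EXAMPLE-BASH-1", "fixed_in": "3.2.13", "released": date(2024, 7, 4)},
]

def open_fixes(installed, fixes, today):
    """Return (pkg, fix id, days exposed) for fixes missing from the bundled copy, longest exposure first."""
    findings = []
    for fix in fixes:
        comp = installed.get(fix["pkg"])
        if comp is None:
            continue  # component not shipped, nothing to patch
        if version_key(comp["version"]) >= version_key(fix["fixed_in"]):
            continue  # bundled version already contains the fix
        if fix["id"] in comp["backported"]:
            continue  # old version number, but the vendor backported this fix
        findings.append((fix["pkg"], fix["id"], (today - fix["released"]).days))
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for pkg, fix_id, days in open_fixes(INSTALLED, UPSTREAM_FIXES, date(2024, 8, 3)):
        print(f"{pkg}: {fix_id} unpatched for {days} days")
```

The old Perl version number alone would flag two fixes, but only one is actually open, and the days-exposed figure is the window between upstream release and vendor backport that Miller's argument turns on.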

Apparently Apple's security practices aren't enough. According to Miller, there will continue to be iPhone and OS X exploits, and they won't all be discovered by the "good guys." If the iPhone becomes as successful as the iPod has, it will no doubt become a popular platform to hack for those with good intentions and bad.